Securing a web service using OAuth in Cloud Access Manager

Learn how to secure a web service using OAuth in Cloud Access Manager (CAM), a web-access management solution from Dell Security that offers secure and unified access to all your internal and cloud-based web applications.

In this brief demo of Cloud Access Manager 8.1, we're going to be taking a look at the OAuth API capabilities. Essentially, what we're going to do is we're going to secure a web service using an OAuth access token. Now, this may seem complicated, but it's actually very easy to do with Cloud Access Manager. But before we jump into a demo, let's take a look at architecturally what exactly is happening.
So basically what I've done is I've created a web service. Let's open this up. We're going to call this the Weather Web Service. And inside the Weather Web Service, there are essentially two methods: one called Get City. We're just going to put G C. The other one called Set City, so we'll put this down here and say Set City.
So Get City is where you pass in the name of the city, and the Weather Service returns the weather for that city. Set City is more of an enhanced feature. That's where, if you are a weather authority, you're actually able to call that web service and program what the current weather is for that location. So this particular service, Get City, is generally a little bit less secure. You can call it My Weather Service if you want. However, this one I'm going to make sure I lock that down.
Well, basically what we've done inside this web service is we've used a very simple technology called WS Security, and I've said any time someone makes a call to this web service, I want you to check the WS Security header for an access token, an OAuth access token. I'm going to talk to you a little bit more about what's contained inside that access token in a minute. But before I do, let's talk about how I'm going to be calling that.
So the first demo is going to be calling it from a consumer service. And by creating a consumer service, there's a paradigm in OAuth that we're not going to be seeing, and that's a login screen. We're never going to see a login screen pop up where a consumer service can log in. That's not going to happen with a service layer. A service layer is instead going to be using a client ID and a client secret, making an API call to Cloud Access Manager. So we'll put that down here. Here's CAM.
And, again, basically this consumer service, the first thing it needs to do is make an API call to a Cloud Access Manager and say, Hey, I'm going to be calling this Weather Service. I need an access token. So that access token is simply going to be returned back to the consumer service, and it's going to say, Here you go. Here's your access token. The consumer service is then ready to call the Weather Web Service. All right, so we're going to simply draw this out.
That access token is going to be sent over to the Weather Web Service, where it's going to be consumed by the WS Security architecture. And again, you could do this in a lot of different ways. But essentially, the web service is going to look inside the access token and determine what access rights you have to the individual methods.
Now, there's a bit of a different paradigm, and that's the one where we do this interactively. I'm going to show that too. So in this case, we're going to be inside an application, and we have a user, actually, two users, that are actually going to be logging in using this application. They're going to get an OAuth UI, though. It's going to show an actual OAuth login screen from Cloud Access Manager. But aside from that difference, the rest of the interaction is basically the same.
So again, the application is going to show this user an OAuth login screen that's actually coming from Cloud Access Manager. Cloud Access Manager is going to reply with an access token. We're going to show that in a new UI. And then the application can now start making calls to the web service using that access token.
Now, we're going to make one little change about the way that's being done, and you're going to see that when we show the demo. So again, go to your web service, write a security architecture. In this case, I'm using WS Security. It's simply expecting an access token in the security header. And then using that access token, I'm going to allow you to call either one of these services.
So let's take a look at how we set this up in Cloud Access Manager before we show the demo. Open up Cloud Access Manager, make our way to the administration screen, and then go take a look at two applications I have configured. One is called Company A. And if we open that up, we see inside Company A it's got a client ID, it's got a client secret, and there are scopes that are associated with this definition. One is Get City. We see that right there. And then finally, another one is called Set City. So this application definition basically says, using this client ID and this shared secret, you're allowed both of these scopes.
Now, let's cancel this and go take a look at Company B. Company B has its own client ID and its own shared secret but a limited scope. It's only got the ability for Get City.
So let's go take a look at this in action. The first thing we're going to take a look at is essentially a demo using a console application. It's not very exciting, but it does show how this is happening, and it's happening very easily and very quickly. So from a console application, we basically want to prove that we can get an access token without showing an OAuth login screen. And doing it through a console application
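The exchange the demo describes, a consumer service trading a client ID and client secret for an access token with no login screen, the token riding in a WS-Security header, and the web service reading the token's scopes to decide who may call Get City versus Set City, as an added example in Python that is not Cloud Access Manager's own code or token format. The HMAC-signed token, the shared signing key, the two client secrets, the `issue_token`/`validate_token`/`extract_token` helper names and the sample weather data are all assumptions made for this illustration; the Company A / Company B scope split mirrors the two application definitions shown in the demo. It goes slightly beyond the transcript by also parsing the token out of a constructed SOAP envelope, which the demo mentions but never shows.

```python
"""Client-credentials OAuth flow with per-method scope enforcement (added example)."""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

# Constructed client registrations modelled on the demo's two application definitions:
# Company A may use both scopes, Company B only GetCity. Secrets are placeholders.
CLIENTS = {
    "company-a": {"secret": "company-a-secret-CONSTRUCTED", "scopes": {"GetCity", "SetCity"}},
    "company-b": {"secret": "company-b-secret-CONSTRUCTED", "scopes": {"GetCity"}},
}
SIGNING_KEY = b"constructed-issuer-key"  # assumption: issuer and service share this key
TOKEN_TTL_SECONDS = 300

# Real namespace URIs for SOAP 1.1 and the WS-Security extension header.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, client_secret, requested_scopes, now=None):
    """Token endpoint for the client-credentials grant: the caller proves it is a registered
    client with its secret, and only scopes granted in its definition are issued."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    granted = sorted(set(requested_scopes) & client["scopes"])  # drop anything not allowed
    if not granted:
        raise PermissionError("invalid_scope")
    payload = {"client_id": client_id, "scope": granted,
               "exp": int(now or time.time()) + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, now=None):
    """Resource-server side: constant-time signature check, then expiry, then return the claims."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, sig):
        raise PermissionError("invalid_token")
    payload = json.loads(_b64url_decode(body))
    if int(now or time.time()) >= payload["exp"]:
        raise PermissionError("token_expired")
    return payload


def extract_token(envelope_xml):
    """Pull the access token out of the WS-Security header of a SOAP 1.1 envelope."""
    root = ET.fromstring(envelope_xml)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
    if node is None or not (node.text or "").strip():
        raise PermissionError("missing_token")
    return node.text.strip()


def soap_envelope(token, method="GetCity"):
    """Constructed request envelope carrying the token the way the demo's security header does."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:BinarySecurityToken>{token}'
            '</wsse:BinarySecurityToken></wsse:Security></soap:Header>'
            f'<soap:Body><{method}/></soap:Body></soap:Envelope>')


class WeatherService:
    """The Weather Web Service: GetCity needs the GetCity scope, SetCity the SetCity scope."""

    def __init__(self):
        self._weather = {"Austin": "sunny"}  # constructed sample data

    def _authorize(self, token, required_scope):
        claims = validate_token(token)
        if required_scope not in claims["scope"]:
            raise PermissionError("insufficient_scope")
        return claims

    def get_city(self, token, city):
        self._authorize(token, "GetCity")
        return self._weather.get(city, "unknown")

    def set_city(self, token, city, weather):
        self._authorize(token, "SetCity")
        self._weather[city] = weather
        return True
```

The point to notice is where the decision is made: the issuer intersects the requested scopes with the client's definition, so Company B asking for Set City simply gets a token without it, and the service still checks the scope on every call instead of trusting that the caller only asks for what it should.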
